This page contains a single entry from the blog posted on November 18, 2006 10:28 AM.

How do you spell T-R-O-U-B-L-E?

How do you spell trouble? No, it isn't t-r-o-u-b-l-e. It is the increasingly sophisticated cyber attacks that organized crime may launch against your enterprise. Here's how I spell it:

1. Rootkit attacks are becoming very sophisticated. Take the "Rustock" (also called "Mailbot.AZ") rootkit detected this past summer. It is the first of a new generation of trojans that creates no process of its own, so the process monitoring done by your AV, IPS and IDS systems never sees it; instead its code runs inside a driver and in kernel threads. Rather than giving itself away through system processes, hidden files or hooks into APIs, it stores itself in an NTFS alternate data stream. It also evades rootkit detectors that check kernel structure integrity. Finally, the .sys driver it uses changes its code from sample to sample, so no two infections look alike. Add all this up and it means that writing a signature that reliably catches it, at the gateway or on the host, becomes less and less likely. More information on this can be found here.

2. Then there is the rise in sophistication of botnets run by organized crime. Today, many botnets hide their command and control on legitimate sites that have been hacked. The compromised legitimate sites send the commands to the bots, and in turn receive their commands from other bots, so the chain of control runs through several hops. This puts a huge challenge in front of companies and police agencies trying to trace the bots back to their source. For more information on this click here.

3. Then there are attacks like Blue Pill. By using the hardware virtualization support in newer processors (AMD's SVM) to slip a thin hypervisor underneath the running operating system, it is thought to be currently undetectable. For more information on this attack click here. For a recent rebuttal from AMD read here.

4. Then there is the ability to launch a rootkit attack from a PCI device containing a flashable expansion ROM, so that the rootkit runs before the operating system loads and survives a reinstall of it. This type of attack is very hard to detect. To read the paper describing this attack pattern, click here.

5. Then there are the numerous MS security flaws. To read about only the latest high risk flaws click here.

6. Just to remind readers that MS isn't the only one having troubles, read the Month of Kernel Bugs page here. For insight into its author, read the interview with him here.

7. Just to remind readers how effective current AV tools are at removing rootkits, look at page 13 of this report by Symantec. In their own report, the test was against 20 rootkit samples, with these results:

    Vendor      Detected   Cleaned
    Symantec       20        16
    McAfee         17         7
    Webroot        15         8
    F-Secure       15         8
    Sunbelt        12         5
    Trend          10         3
    Microsoft       5         3

All the vendors except one missed 3 or more of the rootkits, and cleanup was worse still: even the best product removed only 16 of the 20. Bear in mind that the report was written by one of the vendors being tested.

To add to this grim news, check out this test published September 26 of this year, which showed that the best cleanup success rate against a suite of malware taken from a honeypot was 35.71%.

8. Now consider that as cell phones are increasingly used to communicate with the enterprise and to download data from enterprise systems, experts see these devices being used more and more in phishing attacks.

9. Then there is the increase in spear phishing attacks. These are becoming more common as criminals use targeted emails, made to look as if they come from within the enterprise, to launch their attacks. Read my blog here on this. What happens when the attachment or the email link isn't as obvious as the pink slip used in the reported spear phishing attack, but is a realistic business document?

10. Then there is the usual high risk of an insider attack. The chances of this happening to you grow as organized crime takes control of the attack through one of your employees, contractors or even the janitors. Their role may be simply to log onto the enterprise system from behind the firewall and infect it, or to hand over user IDs and passwords for key positions, such as payables clerks and managers.

This isn't a the-sky-is-falling blog. HOWEVER, the sky is definitely gray and going to get darker for the next two to three years. Too many enterprises have weak perimeters or, even where the perimeter is strong, have weak layers of security behind the firewall.

My message is clear. Plan on having layers of identity-based authentication, requiring stronger authentication as the user drills down towards more sensitive, higher-risk systems, applications or information. Put transaction authentication in place around the most sensitive, highest-risk areas, so that a stolen password or hijacked session alone cannot approve a payment or a change.
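As an added example (not code from the original post), here is a small Python policy engine that models the two controls just described: step-up authentication keyed to the sensitivity tier of the resource, and transaction authentication in which a user's token computes a response over the transaction details themselves rather than over a random challenge. The resource tiers, factor levels, resource names and the per-user token secret are assumptions made for illustration.

```python
"""Added example (not from the original post): a small policy engine for the
layered, step-up authentication and transaction authentication the post
recommends. Resource tiers, factor levels and the per-user token secret are
illustrative assumptions, not anything the post specifies."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed assurance levels: 1 = password only, 2 = password plus a one-time
# code, 3 = password plus a hardware token or smart card.
FACTOR_LEVELS = {"password": 1, "otp": 2, "smartcard": 3}

# Assumed resource tiers: the minimum level needed to reach each area.
RESOURCE_TIERS = {
    "intranet/news": 1,
    "hr/records": 2,
    "finance/payables": 3,
}


@dataclass
class Session:
    user: str
    factors: frozenset  # factors the user has presented so far in this session

    def level(self):
        # A session is only as strong as the strongest factor actually presented.
        return max((FACTOR_LEVELS[f] for f in self.factors), default=0)

    def step_up(self, factor):
        # Return a new session so the old, weaker one is not silently upgraded.
        return Session(self.user, self.factors | {factor})


def required_level(resource):
    # Fail closed: a resource with no mapping demands the highest tier.
    return RESOURCE_TIERS.get(resource, max(RESOURCE_TIERS.values()))


def authorize(session, resource):
    """Return ("allow", None) or ("step_up", level_needed)."""
    needed = required_level(resource)
    if session.level() >= needed:
        return ("allow", None)
    return ("step_up", needed)


def canonical(txn):
    # Fixed field order and no whitespace, so both sides sign identical bytes.
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(token_secret, txn):
    # Models the user's token computing a response over the transaction
    # details (payee, amount, reference), so the response is good only for
    # this exact transaction and not for a modified one.
    return hmac.new(token_secret, canonical(txn), hashlib.sha256).hexdigest()


def verify_transaction(token_secret, txn, response):
    # Constant-time comparison; any change to a signed field fails.
    return hmac.compare_digest(sign_transaction(token_secret, txn), response)


def demo():
    """Walk a payables clerk from password login to an approved payment, and
    show that a tampered payment is rejected. Returns the observations."""
    session = Session("clerk1", frozenset({"password"}))
    first = authorize(session, "finance/payables")   # password alone: step-up
    session = session.step_up("smartcard")
    second = authorize(session, "finance/payables")  # now strong enough

    secret = b"constructed per-user token secret"    # assumption for the demo
    payment = {"payee_account": "12345678", "amount": "25000.00", "ref": "INV-1001"}
    response = sign_transaction(secret, payment)
    # An attacker holding the hijacked session changes the payee but cannot
    # recompute the response without the token.
    tampered = dict(payment, payee_account="87654321")
    return {
        "first": first,
        "second": second,
        "genuine_ok": verify_transaction(secret, payment, response),
        "tampered_ok": verify_transaction(secret, tampered, response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is in the last two checks: with the password stolen or the session hijacked, the attacker still reaches the payables application only after a step-up the attacker cannot complete, and even with a fully stepped-up session cannot push a modified payment through, because the token's response was computed over the original payee and amount.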

Without this, you are blowing around in the wind waiting for the storm to strike. The worst part is that, if you're unlucky, you may not even know the storm has struck. That's when you can really spell TROUBLE.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
